Ethical Hacking and Penetration Testing Guide


  Web Hacking ............................................................................................................313
Attacking the Authentication ..........................................................................................313
Username Enumeration .........................................................................................314
Invalid Username with Invalid Password ...............................................................314
Valid Username with Invalid Password ..................................................................314
Enabling Browser Cache to Store Passwords ..........................................................314
Brute Force and Dictionary Attacks ................................................................................315
Types of Authentication ..................................................................................................315
HTTP Basic Authentication ..................................................................................315
HTTP-Digest Authentication ................................................................................316
Form-Based Authentication ...................................................................................317
Exploiting Password Reset Feature ........................................................................319


xviii ◾ Contents
Etsy.com Password Reset Vulnerability ...........................................................................319
Attacking Form-Based Authentication .................................................................. 320
Brute Force Attack ......................................................................................................... 322
Attacking HTTP Basic Auth ................................................................................ 323
Further Reading ............................................................................................................ 326
Log-In Protection Mechanisms ............................................................................. 326
CAPTCHA Validation Flaw ................................................................................ 326
CAPTCHA Reset Flaw ........................................................................................ 328
Manipulating User-Agents to Bypass CAPTCHA and Other Protections .............329
Real-World Example ............................................................................................. 330
Authentication Bypass Attacks .............................................................................. 330
Authentication Bypass Using SQL Injection ......................................................... 330
Testing for SQL Injection Auth Bypass ..................................................................331
Authentication Bypass Using XPATH Injection ....................................................333
Testing for XPATH Injection .......................................................................333
Authentication Bypass Using Response Tampering .............................................. 334
Crawling Restricted Links ............................................................................................. 334
Testing for the Vulnerability ...........................................................................................335
Automating It with Burp Suite ............................................................................. 336
Authentication Bypass with Insecure Cookie Handling ................................................. 336
Session Attacks ......................................................................................................339
Guessing Weak Session ID ....................................................................................339
Session Fixation Attacks ....................................................................................... 341
Requirements for This Attack ........................................................................................ 342
How the Attack Works .................................................................................................. 342
SQL Injection Attacks .......................................................................................... 342
What Is an SQL Injection? ................................................................................... 342
Types of SQL Injection ......................................................................................... 342
Union-Based SQL Injection ........................................................................ 343
Error-Based SQL Injection .......................................................................... 343
Blind SQL Injection .................................................................................... 343
Detecting SQL Injection ...................................................................................... 343
Determining the Injection Type ........................................................................... 343
Union-Based SQL Injection (MySQL).................................................................. 344
Testing for SQL Injection .............................................................................................. 344
Determining the Number of Columns ..................................................................345
Determining the Vulnerable Columns .................................................................. 346
Fingerprinting the Database ................................................................................. 347
Enumeration Information ..................................................................................... 347
Information_schema ............................................................................................. 348
Information_schema Tables .................................................................................. 348
Enumerating All Available Databases ................................................................... 348
Enumerating All Available Tables in the Database ................................................ 349
Extracting Columns from Tables .......................................................................... 349
Extracting Data from Columns .............................................................................350
Using group_concat .....................................................................................350
MySQL Version ≤ 5 ...............................................................................................351
Guessing Table Names ....................................................................................................351
Guessing Columns.................................................................................................352
SQL Injection to Remote Command Execution ....................................................352
Reading Files ..................................................................................................................353
Writing Files ...................................................................................................................353
Blind SQL Injection ..............................................................................................355
Boolean-Based SQLi .....................................................................................355
True Statement ......................................................................................................355
False Statement ......................................................................................................356
Enumerating the DB User .....................................................................................356
Enumerating the MYSQL Version .........................................................................358
Guessing Tables .....................................................................................................358
Guessing Columns in the Table .............................................................................359
Extracting Data from Columns ............................................................................ 360
Time-Based SQL Injection ....................................................................................361
Vulnerable Application ...................................................................................................361
Testing for Time-Based SQL Injection .......................................................................... 362
Enumerating the DB User .................................................................................... 362
Guessing the Table Names .................................................................................... 363
Guessing the Columns .......................................................................................... 364
Extracting Data from Columns .............................................................................365
Automating SQL Injections with Sqlmap ............................................................. 366
Enumerating Databases .........................................................................................367
Enumerating Tables ...............................................................................................367
Enumerating the Columns ....................................................................................367
Extracting Data from the Columns ...................................................................... 368
HTTP Header–Based SQL Injection ................................................................... 368
Operating System Takeover with Sqlmap ............................................................. 369
OS-CMD ........................................................................................................................ 369
OS-SHELL .................................................................................................................... 369
OS-PWN ..........................................................................................................................370
XSS (Cross-Site Scripting) ..............................................................................................371
How to Identify XSS Vulnerability .................................................................................371
Types of Cross-Site Scripting ..........................................................................................371
Reflected/Nonpersistent XSS ..........................................................................................372
Vulnerable Code ....................................................................................................372
Medium Security ............................................................................................................373
Vulnerable Code ....................................................................................................373
High Security .................................................................................................................373
Bypassing htmlspecialchars ....................................................................................374
UTF-32 XSS Trick: Bypass 1 ..........................................................................................375
Svg Craziness: Bypass 2 ...................................................................................................375
Bypass 3: href Attribute ..................................................................................................376
Stored XSS/Persistent XSS ............................................................................................. 377
Payloads ......................................................................................................................... 377
Blind XSS .......................................................................................................................378
DOM-Based XSS ...........................................................................................................378
Detecting DOM-Based XSS ..................................................................................378
Sources (Inputs) ............................................................................................378
Sinks (Creating/Modifying HTML Elements) .............................................378
Static JS Analysis to Identify DOM-Based XSS .................................................... 384
How Does It Work? ...............................................................................................385
Setting Up JSPRIME ............................................................................................385
Dominator: Dynamic Taint Analysis ............................................................................. 390
POC for Internet Explorer ............................................................................................. 394
POC for Chrome ........................................................................................................... 394
Pros/Cons .......................................................................................................................395
Cross Browser DOM XSS Detection ..............................................................................395
Types of DOM-Based XSS ............................................................................................ 397
Reflected DOM XSS ............................................................................................ 397
Stored DOM XSS ................................................................................................. 397
Exploiting XSS ..................................................................................................... 399
Cookie Stealing with XSS ..................................................................................... 399
Exploiting XSS for Conducting Phishing Attacks ................................................. 402
Compromising Victim’s Browser with XSS ........................................................... 404
Exploiting XSS with BeEF ............................................................................................. 405
Setting Up BeEF on BackTrack ..................................................................................... 405
Demo Pages ................................................................................................................... 408
BeEF Modules ...................................................................................................... 409
Module: Replace HREFs ............................................................................. 409
Module: Getcookie ...................................................................................... 409
Module: Tabnabbing ....................................................................................410
BeEF in Action ......................................................................................................412
Cross-Site Request Forgery (CSRF) ................................................................................413
Why Does a CSRF Attack Work? ...................................................................................413
How to Attack ................................................................................................................413
GET-Based CSRF ...........................................................................................................414
POST-Based CSRF .........................................................................................................414
CSRF Protection Techniques ..........................................................................................415
Referrer-Based Checking ................................................................................................415
Anti-CSRF Tokens .........................................................................................................415
Predicting/Brute Forcing Weak Anti-CSRF Token Algorithm .......................................416
Tokens Not Validated upon Server .................................................................................416
Analyzing Weak Anti-CSRF Token Strength .................................................................417
Bypassing CSRF with XSS .............................................................................................419
File Upload Vulnerabilities ....................................................................................421
Bypassing Client Side Restrictions ........................................................................ 423
Bypassing MIME-Type Validation ....................................................................... 423
Real-World Example ...................................................................................................... 425
Bypassing Blacklist-Based Protections................................................................... 425
Case 1: Blocking Malicious Extensions ................................................................. 425
Bypass.......................................................................................................... 426
Case 2: Case-Sensitive Bypass ............................................................................... 426
Bypass.......................................................................................................... 426
Real-World Example ...................................................................................................... 426
Vulnerable Code ................................................................................................... 426
Case 3: When All Dangerous Extensions Are Blocked ......................................... 426
XSS via File Upload ..................................................................................... 427
Flash-Based XSS via File Upload ................................................................. 428
Case 4: Double Extensions Vulnerabilities ............................................................ 429
Apache Double Extension Issues .................................................................. 429
IIS 6 Double Extension Issues ..................................................................... 429
Case 5: Using Trailing Dots ................................................................................. 429
Case 6: Null Byte Trick ........................................................................................ 429
Case 7: Bypassing Image Validation ...................................................................... 429
Case 8: Overwriting Critical Files ......................................................................... 430
Real-World Example .......................................................................................................431
File Inclusion Vulnerabilities ...........................................................................................431
Remote File Inclusion .................................................................................................... 432
Patching File Inclusions on the Server Side .................................................................... 433
Local File Inclusion .............................................................................................. 433
Linux .................................................................................................................... 434
Windows .............................................................................................................. 434
LFI Exploitation Using /proc/self/environ ............................................................. 434
Log File Injection.................................................................................................. 436
Finding Log Files: Other Tricks ............................................................................ 440
Exploiting LFI Using PHP Input .......................................................................... 440
Exploiting LFI Using File Uploads ....................................................................... 441
Read Source Code via LFI .................................................................................... 442
Local File Disclosure Vulnerability ....................................................................... 443
Vulnerable Code .......................................................................................... 443
Local File Disclosure Tricks .................................................................................. 445
Remote Command Execution............................................................................... 446
Uploading Shells ................................................................................................... 448
Server Side Include Injection .................................................................................452
Testing a Website for SSI Injection .................................................................................452
Executing System Commands ........................................................................................453
Spawning a Shell .............................................................................................................453
SSRF Attacks ..................................................................................................................454
Impact ............................................................................................................................455
Example of a Vulnerable PHP Code ......................................................................456
Remote SSRF ........................................................................................................457
Simple SSRF .................................................................................................457
Partial SSRF .................................................................................................458
Denial of Service ............................................................................................................ 463
Denial of Service Using External Entity Expansion (XEE) ................................... 463
Full SSRF ............................................................................................................. 464
dict:// ........................................................................................................... 464
gopher:// .......................................................................................................465
http:// ...........................................................................................................465
Causing the Crash ................................................................................................ 466
Overwriting Return Address .......................................................................................... 467
Generating Shellcode ..................................................................................................... 467
Server Hacking .............................................................................................................. 469
Apache Server .................................................................................................................470
Testing for Disabled Functions ..............................................................................470
Open_basedir Misconfiguration ...................................................................472
Using CURL to Bypass Open_basedir Restrictions ......................................474
Open_basedir PHP 5.2.9 Bypass ..................................................................475
Reference ........................................................................................................................476
Bypassing open_basedir Using CGI Shell ....................................................476
Bypassing open_basedir Using Mod_Perl, Mod_Python .............. 477
Escalating Privileges Using Local Root Exploits ............................................................ 477
Back Connecting ........................................................................................................... 477
Finding the Local Root Exploit ......................................................................................478
Usage ..............................................................................................................................478
Finding a Writable Directory ..........................................................................................479
Bypassing Symlinks to Read Configuration Files ........................................................... 480
Who Is Affected? ............................................................................................................481
Basic Syntax ....................................................................................................................481
Why This Works ................................................................................................... 482
Symlink Bypass: Example 1 .................................................................................. 482
Finding the Username .......................................................................................... 482
/etc/passwd File .................................................................................... 483
/etc/valiases File ................................................................................ 483
Path Disclosure ............................................................................................ 483
Uploading .htaccess to Follow Symlinks ............................................................... 484
Symlinking the Configuration Files ...................................................................... 484
Connecting to and Manipulating the Database ............................................................. 485
Updating the Password .................................................................................................. 486
Symlink the Root Directory ................................................................................. 486
Example 3: Compromising WHMCS Server ........................................................ 487
Finding a WHMCS Server ............................................................................................ 487
Symlinking the Configuration File ................................................................................ 488
WHMCS Killer .................................................................................................... 488
Disabling Security Mechanisms ............................................................................ 490
Disabling Mod_Security .............................................................................. 490
Disabling Open_basedir and Safe_mode ........................................... 490
Using CGI, PERL, or Python Shell to Bypass Symlinks ........................................491
Conclusion ......................................................................................................................491